Blitz-hack – Newspaper Kommersant No. 64 (7509) dated 04/13/2023


The time needed to carry out cyberattacks on the infrastructure of Russian companies has dropped sharply over the year. According to cybersecurity experts, it now takes attackers an average of only four to seven days to compromise a target, whereas previously all stages of an attack could take months. Experts attribute this to the proliferation of easy-to-use malware on the darknet and warn that this year attack techniques will only get easier and more widespread.

Kommersant reviewed the RTK-Solar study on changes in the cyber threat landscape from March 2022 to March 2023. Analysts concluded that the speed of cyberattacks has changed dramatically over the year: from the moment they penetrate the infrastructure to the point of achieving their goals, hackers need seven days on average, not several months as before. In total, 40 incidents were analyzed, all involving penetration into the IT infrastructure of the largest Russian organizations representing the public sector, industry, energy, retail, telecom, media, and finance.

Sergey Golovanov, chief expert of Kaspersky Lab, agrees with this assessment, although he speaks of less drastic changes: “The time it takes for attackers to carry out a cyber attack has decreased by about 20% compared to 2021.” He linked the trend to the actions of “hacktivists” who do not use sophisticated techniques. Positive Technologies estimated the reduction in the time spent on a successful attack from several months to several days: this may be enough to obtain maximum access privileges in the victim’s infrastructure.

The attackers' key goals, according to RTK-Solar, were encrypting infrastructure for monetary reward (38% of incidents), hacktivism itself (38%) and breaching infrastructure for cyber espionage (20%). At the same time, 72% of incidents were carried out through vulnerabilities available on the Internet, for example, ProxyLogon (a critical vulnerability in Microsoft Exchange Server). “Hackers buy the necessary bot on the darknet, which finds a server on the network on which this vulnerability is not closed,” RTK-Solar clarifies. The company also adds that attacks through contractors have become more frequent over the year.

On specialized platforms, the Malware-as-a-Service and Ransomware-as-a-Service models are actively developing, Sergei Golovanov confirms. Some attackers, he explains, create malicious code and provide it on a subscription basis or for a percentage of the ransom, others penetrate the infrastructure of organizations and sell access to it, and still others carry out the attacks and demand a ransom: “This is how attackers reduce costs and increase the effectiveness of attacks.” RTK-Solar estimates the cost of such tools at an average of 50 thousand rubles.

Modern tools really do allow hackers to carry out attacks on a much larger scale and faster, says Irina Zinovkina, director of consulting at InfoWatch Group. She adds that until February 2022 the financial motive was fundamental for attackers; over the past year, however, the number of attacks with the goal of “disabling the victim’s systems as a whole” has increased significantly.

This motivation remains relevant in 2023. For example, on April 10, the Federal Customs Service (FCS) reported a malfunction in its systems, due to which customs clearance procedures in Russia were stopped. The FCS named a hacker attack as the cause of the failure; the system was restored only by April 12 (see Kommersant of April 12).

Complicating the situation is the limited availability of protection tools. When Western suppliers of intrusion protection systems left, Russian companies were faced with the need to urgently replace their solutions with domestic ones, notes Andrey Dugin, head of the MTS SOC (Center for Monitoring and Protection against Cyber Attacks): “Sometimes companies simply do not know how protected their infrastructure is.” Informzaschita agrees: not all services have yet found a replacement, and vulnerabilities remain unpatched. As a result, the company explains, “complex cyberattacks that took several months to implement can be carried out by an amateur in a week or two.”

Tatyana Isakova
